After you've added your CA certificate within android, if not using Tor and going local only you have to (in my experience anyway) use split tunneling on your VPN app and add Nextcloud and Firefox beta etc to not run through the VPN. Then disable block connection without VPN within the Android settings.

I also had to temporarily add Firefox beta as the default browser, and make sure you set the toggle to trust CA certificate in Firefox beta developer options.

Once that's a done revert back to using Vanadium as the default browser.